By Trevor Timm<p>
Trevor Timm is
an activist and blogger at the Electronic Frontier Foundation. He has a law
degree from New York Law School.
</p>

April 27, 2012

On Thursday, April 26, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA), the first major Internet-regulation bill Congress has tried to pass since mass protests led to the spectacular collapse of the Stop Online Piracy Act (SOPA) in January. CISPA, while aimed at a much different subject, gained much the same ire as SOPA, given its potential effect on Internet freedom. Although sold as a bill that would strengthen cybersecurity, CISPA would have huge implications for Internet users’ privacy both domestically and abroad if the Senate passed it in the coming weeks and it became law.

According to the bill’s main author, Rep. Mike Rogers (R-Mich.), CISPA’s main purpose is to allow companies and the government to share information to prevent and defend against cyberattacks. But the bill’s language is written so broadly that it carves out a giant cybersecurity loophole in all existing privacy laws.

The problem is in the bill’s definition of "cyber threat information" and how companies can respond to it. "Cyber threat information" is an overly vague term that can be interpreted to include a wide range of tasks that normally wouldn’t be considered cyberthreats — like encrypting emails or running an anonymization tool such as Tor — and as a result, a company’s options would be so numerous as to allow it to read any user’s communications for a host of reasons.

Those communications could then be handed over to the government voluntarily without a warrant or anyoversight, nullifying well-established laws like the 1968Wiretap Act and the 1986 Electronic Communications Privacy Act, which prevent companies from reading your communications except under very specific circumstances and prevent the government from getting users’ communications without judicial review.

Once the U.S. government gets hold of such information, the problem intensifies. Private communications can be passed on to intelligences agencies like the National Security Agency (NSA) and the military — bypassing decades of law barring intelligence agencies from spying on Americans — and be used for other law enforcement purposes besides cybersecurity. Almost as an afterthought, the bill also increases government secrecy — already at an all-time high — by creating a new exception to the Freedom of Information Act for any information the government receives from companies.

It has become clear by now that CISPA is far more than a mere "cybersecurity" bill.

As such, CISPA has enraged civil liberties organizations and a host of other actors, from free market groups to Internet security experts. The bill’s flaws are so obvious that Barack Obama’s administration — despite strongly pushing Congress to pass cybersecurity legislation — issued a veto threat Wednesday, decrying the fact that CISPA "effectively treats domestic cybersecurity as an intelligence activity."

But that hasn’t stopped Rogers from continually insisting that he’s listening to the concerns of civil liberties groups and ordinary users. The congressman said Tuesday in response to criticism, "[Privacy advocates] have been very good working with us on language to get the bill to a point that helps them protect users and protect their civil liberties." He repeated much of those same claims on the House floor on Thursday, claiming that CISPA is "narrow" and "extremely limited" and that he was trying to accommodate the bill’s critics.

In reality, the opposite was true. Rogers refused to even allow some common-sense, substantive amendments to reach the House floor, such as requiring companies to remove an individual’s information before handing it over to the government, anonymizing data when it’s shared between agencies, or making sure the government gets a warrant before looking at identifying information. Rogers also rejected an amendment that would prevent military and intelligence agencies like the NSA from receiving sensitive user data under this cybersecurity program. Instead, he offered a handful of cosmetic changes that did nothing to alleviate anyone’s concerns.

Perhaps realizing that Congress was starting to catch on after co-sponsors started to change their minds during the debate, Rogers halted debate on additional amendments and called for an immediate floor vote a day earlier than scheduled. In the end, CISPA passed 248-168.

But despite the climactic outcome of Thursday’s vote, the battle over cybersecurity legislation is far from over. The same debate about privacy still looms in the Senate, where at least now, many of the same concerns will be front and center. A Senate version of the bill, sponsored by Sen. Joe Lieberman (I-Conn.), contains many of the same exceptions to federal privacy law. Sen. John McCain (R-Ariz.), who doesn’t think Lieberman’s bill goes far enough, is sponsoring a competing bill that would actually require that more control over the Internet be handed to the NSA.

But the debate over privacy is bigger than any of these bills. It has become increasingly clear that just about any U.S. regulation of the Internet affects users worldwide, both in practice and — perhaps even more crucially — as model legislation for other governments. Just as SOPA would have allowed for the censorship of foreign websites (in fact, those were its target), CISPA allows companies to access any communications — foreign or domestic — which could then end up in the hands of the U.S. government. Global Internet users have taken notice, with the NGO Avaaz gathering almost 800,000 signatures against CISPA, many of which are from people outside the United States.

The Obama administration’s "Internet freedom" agenda — already tarnished — is on the line, and at least this time, officials seem to realize that their actions will have a direct effect on their foreign policy. CISPA came to a floor vote the same week that the Obama administration issued an executive order targeting U.S. companies that sell censorship and surveillance gear to Iran and Syria. The order, though a step in the right direction, came under harsh criticism given that the NSA is allegedly still running much of its warrantless wiretapping program — first exposed in 2005 by the New York Times — at the same time Obama is decrying mass surveillance in other countries.

There are signs, however, that the Obama administration is learning that it can’t have a "do as I say, not as I do policy" when it comes to Internet freedom. During the SOPA debate, the State Department refused to comment on the bill despite virtually the entire tech industry complaining that it would amount to mass censorship. A spokesperson even released a statement at the time saying, "The Department of State does not provide comment on pending legislation," despite a provision that would have made much of the circumvention software it is funding — to the tune of tens of millions of dollars — illegal.

In stark contrast this time around, Secretary of State Hillary Clinton’s senior advisor for innovation, Alec Ross, was the first U.S. official to definitively say, "The Obama administration opposes CISPA," as he matter-of-factly told the Guardian Monday. Prior to that, the administration had only released a broad statement saying that "privacy and civil liberties" should be preserved in any cybersecurity bill.

Given the increased attention to cybersecurity around the world, governments will watch and learn from the U.S. experience. If the United States continues to preach privacy and civil liberties abroad while Congress passes a privacy-destroying bill at home, the results will be much the same as CISPA: a bill designed for a legitimate purpose, used as another excuse to encroach on the freedoms of ordinary citizens.